axiomatics.com
OpenID AuthZEN Prior Art
ALFA - Abbreviated Language for Authorization
David Brossard, January 2024 | https://www.linkedin.com/company/axiomatics/ | https://www.linkedin.com/in/davidbrossard/
TL;DR
There is an OpenAPI specification for the interfaces covered below:
👉 GitHub - axiomatics/xacml-3.0-authz-service-openapi-spec
Background
• ALFA is first and foremost a policy language
• ALFA follows NIST’s ABAC special publication
o SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations | CSRC
• ALFA is based on XACML
o It uses a lightweight syntax similar to Java
• ALFA leverages the JSON Profile of XACML to send/receive authorization requests
o JSON Profile of XACML 3.0 Version 1.1
• The JSON Profile of XACML references the REST Profile of XACML for the actual transport
o REST Profile of XACML v3.0 Version 1.0
• The transport part (HTTP…) is entirely decoupled from the request/response format.
o They’re 2 different specs (see above)
Use Cases
ALFA supports the same authorization use cases as XACML:
• Binary authorization request
o Can Alice view Document #1?
o Permit ✅/Deny❌/NotApplicable❔/Indeterminate ⚠️
• Batch authorization requests
o Can Alice, Bob, and Carol view, edit, or delete documents #1, 2, 3?
o 3×3×3 = 27 decisions are returned, one per subject/action/resource combination
o Batch requests are specified in another profile, the XACML v3.0 Multiple Decision Profile Version 1.0
• ⚠️Notably, ALFA (and XACML) does not support partial evaluation/search ("what can Alice do?")
o This is something vendors have had to build themselves
o Axiomatics has a proprietary API called Reverse Query that implements partial evaluation
Attributes are the core elements of an authorization request
• ALFA is entirely attribute-based
o Therefore, an authorization request is (nearly exclusively) made up of attributes
• An attribute is made up of
o A category e.g. subject
o A datatype e.g. string
o An identifier (a URI) e.g. com.acme.user.name
• Attributes can be multi-valued
o citizenship can contain multiple values e.g. Swiss and Swedish
• ALFA supports
o 4 default categories: subject, action, resource, and environment
– ✅This corresponds to Cedar’s PARC model and AuthZEN’s current subject/resource/action proposal
o A dozen standard datatypes (see https://alfa.guide/alfa-datatypes/)
• ALFA is extensible
o You can add categories and datatypes if you so desire
o In practice, users stick to subject/action/resource/environment and basic datatypes (string, boolean, numbers, dates)
Authorization Request UML Diagram (diagram not reproduced)
Sample Authorization Request: Can Alice Anderson view record 123?

{"Request": {
  "AccessSubject": [{"Attribute": [
    {"AttributeId": "axiomatics.demo.user.userId", "Value": ["Alice Anderson"]}
  ]}],
  "Resource": [{"Attribute": [
    {"AttributeId": "axiomatics.demo.resourceType", "Value": "record"},
    {"AttributeId": "axiomatics.demo.record.recordId", "Value": "123"}
  ]}],
  "Action": [{"Attribute": [
    {"AttributeId": "axiomatics.demo.actionId", "Value": "view"}
  ]}]
}}

A request is a set of categories (here written with the JSON Profile's shorthand keys AccessSubject, Resource and Action). Each category holds an array of attributes. An attribute in its simplest form is a key-value pair: an AttributeId and a Value, which may be a scalar or, for multi-valued attributes, an array.
Sample Authorization Request, generic form: Can Dave view record 125?

{"Request": {
  "Category": [
    {"CategoryId": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
     "Attribute": [{"AttributeId": "user.employeeId", "Value": "Dave"}]},
    {"CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
     "Attribute": [{"AttributeId": "action.actionId", "Value": "view"}]},
    {"CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
     "Attribute": [
       {"AttributeId": "object.objectType", "Value": "record"},
       {"AttributeId": "record.recordId", "Value": "125"}]}
  ]
}}
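As an added example (not code from the deck, from Axiomatics or from the OpenAPI spec), the following Python builds JSON Profile requests in both the shorthand and the generic form described on the preceding slides: it sets DataType only when the JSON literal cannot convey the type, carries a multi-valued attribute, sets ReturnPolicyIdList, and wraps the document the way the REST Profile transports it (an HTTP POST with the application/xacml+json media type). It also builds a Multiple Decision Profile batch for the 3×3×3 case of the Use Cases slide using the JSON Profile's MultiRequests/RequestReference/ReferenceId structure (check that layout against the profile text before relying on it). The attribute ids axiomatics.demo.user.citizenship and com.acme.today, all values, and the category Ids s0/a0/r0 are constructed for illustration.

```python
"""Build XACML JSON Profile authorization requests (added example, not from the deck)."""
import json

# Standard XACML 3.0 category identifiers (XACML core spec).
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ENVIRONMENT = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"

# Shorthand keys the JSON Profile accepts in place of a Category/CategoryId entry.
SHORTHAND = {SUBJECT: "AccessSubject", ACTION: "Action",
             RESOURCE: "Resource", ENVIRONMENT: "Environment"}

# A datatype JSON cannot infer from the literal: a date carried in a string.
DATE = "http://www.w3.org/2001/XMLSchema#date"

def attribute(attr_id, value, datatype=None):
    """One attribute. string/integer/double/boolean are inferred from the JSON
    literal; a list makes the attribute multi-valued; DataType is only set
    when the literal does not convey the type (dates, URIs, ...)."""
    attr = {"AttributeId": attr_id, "Value": value}
    if datatype is not None:
        attr["DataType"] = datatype
    return attr

def build_request(categories, generic=False, return_policy_ids=False):
    """categories maps a category URN to its attribute list.
    generic=True emits Category/CategoryId objects (works for any category);
    otherwise the four shorthand keys are used. ReturnPolicyIdList is only
    written when requested because its default is false."""
    req = {}
    if generic:
        req["Category"] = [{"CategoryId": cat, "Attribute": attrs}
                           for cat, attrs in categories.items()]
    else:
        for cat, attrs in categories.items():
            req[SHORTHAND[cat]] = [{"Attribute": attrs}]  # KeyError for custom categories
    if return_policy_ids:
        req["ReturnPolicyIdList"] = True
    return {"Request": req}

def build_multi_request(subjects, actions, resources):
    """Multiple Decision Profile batch: each Category gets an Id and every
    subject x action x resource combination becomes one RequestReference,
    so the PDP returns one Result per combination (assumed layout, see lead-in)."""
    cats, ids = [], {}

    def add(cat_urn, prefix, groups):
        ids[prefix] = []
        for n, attrs in enumerate(groups):
            cid = f"{prefix}{n}"                      # constructed category Id
            cats.append({"CategoryId": cat_urn, "Id": cid, "Attribute": attrs})
            ids[prefix].append(cid)

    add(SUBJECT, "s", subjects)
    add(ACTION, "a", actions)
    add(RESOURCE, "r", resources)
    refs = [{"ReferenceId": [s, a, r]}
            for s in ids["s"] for a in ids["a"] for r in ids["r"]]
    return {"Request": {"Category": cats,
                        "MultiRequests": {"RequestReference": refs}}}

def http_message(request_doc):
    """Transport per the REST Profile: POST the JSON Profile document to the
    PDP resource with the media type registered by the JSON Profile."""
    return {"method": "POST",
            "headers": {"Content-Type": "application/xacml+json",
                        "Accept": "application/xacml+json"},
            "body": json.dumps(request_doc)}

def alice_views_record(record_id, generic=False):
    """Can Alice view record <record_id>? Attribute ids follow the deck's
    axiomatics.demo.* naming; citizenship and com.acme.today are constructed."""
    return build_request({
        SUBJECT: [attribute("axiomatics.demo.user.userId", "Alice Anderson"),
                  attribute("axiomatics.demo.user.citizenship", ["CH", "SE"])],
        ACTION: [attribute("axiomatics.demo.actionId", "view")],
        RESOURCE: [attribute("axiomatics.demo.resourceType", "record"),
                   attribute("axiomatics.demo.record.recordId", record_id)],
        ENVIRONMENT: [attribute("com.acme.today", "2024-01-15", DATE)],
    }, generic=generic, return_policy_ids=True)

if __name__ == "__main__":
    print(json.dumps(alice_views_record("123"), indent=2))
    batch = build_multi_request(
        [[attribute("axiomatics.demo.user.userId", u)] for u in ("Alice", "Bob", "Carol")],
        [[attribute("axiomatics.demo.actionId", a)] for a in ("view", "edit", "delete")],
        [[attribute("axiomatics.demo.record.recordId", r)] for r in ("1", "2", "3")])
    print(len(batch["Request"]["MultiRequests"]["RequestReference"]), "decisions requested")
```

The shorthand and generic forms carry exactly the same attributes; only the generic form can express a category outside the four defaults, which is why build_request falls over (KeyError) when a custom category is passed without generic=True.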
Authorization Response UML Diagram (diagram not reproduced)
Features of the Authorization Response
• The response contains an array of results (to be able to support the Multiple Decision Profile)
• Each result contains
o One of 4 possible decisions: Permit ✅/Deny❌/NotApplicable❔/Indeterminate ⚠️
o An optional status that can be used to convey errors e.g. missing attributes or division by zero
o An optional array of obligations and advice
o An optional array of attributes and their values used in the decision making process
o An optional array of identifiers pointing to the policies used in the evaluation process
Additional Features
• An Authorization Request can carry two boolean flags (both default to false):
o ReturnPolicyIdList
– Asks the PDP to return the identifiers of the policies and policy sets evaluated
– This is useful to trace an evaluation or understand which policy triggered the eventual decision
o CombinedDecision
– For a Multiple Decision Request e.g. "Can Alice view and/or edit document #123", rather than the PDP returning 2 decisions (Permit, Deny), those decisions are combined into a single one, following the rules of the Multiple Decision Profile
• Policies can contain obligations & advice, additional statements that may be returned alongside a decision e.g.
o Permit + obligation to use MFA
o It's on the PEP to comply with the obligation: a PEP that does not understand or cannot discharge an obligation must not grant access. Advice, by contrast, may be ignored.
Sample Authorization Responses

The simplest kind of response. Note that "Response" is an array (one Result per decision):

{"Response": [
  {"Decision": "Permit"}
]}

A sample response with policy identifiers (present because the request set ReturnPolicyIdList):

{"Response": [
  {
    "Decision": "Deny",
    "PolicyIdentifierList": {
      "PolicyIdReference": [
        {"Id": "viewRecords.employeesViewRecords", "Version": "1.0"}
      ],
      "PolicySetIdReference": [
        {"Id": "mainRecords.viewRecords", "Version": "1.0"},
        {"Id": "tutorial.main", "Version": "1.0"}
      ]
    }
  }
]}
Sample Authorization Response with Advice

{"Response": [{
  "Decision": "Deny",
  "AssociatedAdvice": [
    {
      "Id": "tutorial.denyMessage",
      "AttributeAssignment": [
        {
          "AttributeId": "message.denyReason",
          "Value": "Sorry, Dave, you can't do that because you do not have a role",
          "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
        }
      ]
    }
  ]
}]}

This response carries an additional statement, here an advice (AssociatedAdvice). Obligations use the same Id/AttributeAssignment structure under the Obligations key; the difference is that a PEP must discharge obligations (and deny access when it cannot), whereas advice may be ignored.
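As an added example (not the deck's or Axiomatics' code), the following Python shows what a PEP should do with the Result objects described on the response slides: fail closed on NotApplicable and Indeterminate, honour a Permit only when every obligation is recognised and discharged, treat advice as best effort, and pull PolicyIdentifierList and Status out for audit logging. The three responses, the obligation id com.acme.obligation.requireMfa with its mfa.minimumLevel argument, and the status message are constructed, not captured from a real PDP.

```python
"""PEP-side handling of XACML JSON Profile responses (added example, not from the deck)."""

PERMIT, DENY = "Permit", "Deny"

class ObligationError(Exception):
    """Raised by a handler that cannot discharge an obligation."""

def results(response_doc):
    """'Response' is always an array of Result objects: one per decision,
    several when the Multiple Decision Profile was used."""
    return response_doc["Response"]

def assignments(statement):
    """AttributeAssignment entries of an obligation or advice, as a dict."""
    return {a["AttributeId"]: a["Value"] for a in statement.get("AttributeAssignment", [])}

def enforce(result, handlers):
    """Return True to grant access, False to refuse.
    Fail closed: NotApplicable and Indeterminate refuse access. A Permit is
    honoured only if every obligation is recognised and discharged (XACML:
    a PEP that cannot discharge an obligation must deny). Advice is optional
    and never changes the outcome."""
    decision = result.get("Decision")
    if decision not in (PERMIT, DENY):
        return False
    for obligation in result.get("Obligations", []):
        handler = handlers.get(obligation["Id"])
        if handler is None:
            return False            # unknown obligation: cannot comply
        try:
            handler(assignments(obligation))
        except ObligationError:
            return False
    for advice in result.get("AssociatedAdvice", []):
        handler = handlers.get(advice["Id"])
        if handler is not None:
            handler(assignments(advice))   # best effort, e.g. show the deny reason
    return decision == PERMIT

def refuse_step_up(args):
    """A handler that cannot satisfy the obligation (e.g. no MFA device enrolled)."""
    raise ObligationError("step-up authentication not available")

def policies_used(result):
    """Policy and policy-set ids from PolicyIdentifierList (present only when
    the request set ReturnPolicyIdList), formatted for an audit log."""
    pil = result.get("PolicyIdentifierList", {})
    return [f"{ref['Id']}:{ref['Version']}"
            for key in ("PolicyIdReference", "PolicySetIdReference")
            for ref in pil.get(key, [])]

def status_message(result):
    """Status is optional; the PDP uses it to explain an Indeterminate."""
    status = result.get("Status", {})
    return status.get("StatusCode", {}).get("Value"), status.get("StatusMessage")

# Constructed sample responses (not captured from a real PDP).
PERMIT_WITH_MFA = {"Response": [{
    "Decision": "Permit",
    "Obligations": [{"Id": "com.acme.obligation.requireMfa",
                     "AttributeAssignment": [{"AttributeId": "mfa.minimumLevel", "Value": 2}]}],
    "PolicyIdentifierList": {
        "PolicyIdReference": [{"Id": "viewRecords.employeesViewRecords", "Version": "1.0"}],
        "PolicySetIdReference": [{"Id": "tutorial.main", "Version": "1.0"}]}}]}
DENY_WITH_ADVICE = {"Response": [{
    "Decision": "Deny",
    "AssociatedAdvice": [{"Id": "tutorial.denyMessage",
                          "AttributeAssignment": [{"AttributeId": "message.denyReason",
                                                   "Value": "no role"}]}]}]}
INDETERMINATE = {"Response": [{
    "Decision": "Indeterminate",
    "Status": {"StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"},
               "StatusMessage": "axiomatics.demo.user.role is missing"}}]}

def demo():
    """Run the constructed responses through the PEP logic."""
    shown = []
    handlers = {"com.acme.obligation.requireMfa": lambda args: None,  # MFA already satisfied
                "tutorial.denyMessage": lambda args: shown.append(args["message.denyReason"])}
    permit = results(PERMIT_WITH_MFA)[0]
    return {
        "permit_discharged": enforce(permit, handlers),
        "permit_no_step_up": enforce(permit, {"com.acme.obligation.requireMfa": refuse_step_up}),
        "permit_unknown_obligation": enforce(permit, {}),
        "deny_with_advice": enforce(results(DENY_WITH_ADVICE)[0], handlers),
        "indeterminate": enforce(results(INDETERMINATE)[0], handlers),
        "advice_shown": shown,
        "policies": policies_used(permit),
        "status": status_message(results(INDETERMINATE)[0]),
    }
```

The asymmetry between the two loops is the point: an obligation the PEP does not recognise turns a Permit into a refusal, while an advice the PEP does not recognise is simply skipped.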
Simplifications
• Datatypes that can be inferred from the JSON literal (string, integer, double, boolean) do not need to be specified
• Some fields that are mandatory in XACML's XML representation are optional in the JSON representation and have a default value
o E.g. XPathVersion (not very useful in a JSON world)
Features ALFA does not have by design
• You cannot ask the PDP to only consider a subset of policies
o It is not up to the requester to decide what applies to them
• You cannot send the PDP a policy to execute
o It is configured beforehand through different means (see PAP-PDP)
• As previously mentioned, no 'search' or partial evaluation
o Vendors e.g. Axiomatics have implemented their own approach
(Slide captions: "No, you don't get to tell me what the law is." / "You cannot ride a wooden horse on I-401")
Things that could be simplified (and that AuthZEN should do)
• Let's fully drop features and parameters that are really only meaningful in XACML but not in ALFA or in modern-day XML-less worlds
• Let's support 2 decisions only: Permit and Deny
Extending the JSON Profile to support Search
• Essentially, the same request structure could be used.
• One would have to add the desired decision, typically Permit
o What can Alice do?
o Give me the list of items Alice can delete
• Standardizing the request is straightforward
o Standardizing the response is harder
o Is it a filter?
o Is it the list of items?
References
• JSON Profile of XACML 3.0 Version 1.1
• REST Profile of XACML v3.0 Version 1.0
• XACML v3.0 Multiple Decision Profile Version 1.0
• ALFA - the Abbreviated Language for Authorization
• Sample Requests - Postman Collection
Thank you
